[jboss-jira] [JBoss JIRA] (WFCORE-644) jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores

Derek Horton (JIRA) issues at jboss.org
Thu Apr 16 17:07:19 EDT 2015 

Derek Horton created WFCORE-644:
-----------------------------------

             Summary: jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores
                 Key: WFCORE-644
                 URL: https://issues.jboss.org/browse/WFCORE-644
             Project: WildFly Core
          Issue Type: Bug
          Components: CLI
            Reporter: Derek Horton
            Assignee: Alexey Loubyansky


The cli's SSL configuration should be expanded to support using PKCS11 keystores/truststores.  Currently it does not appear to be possible to configure the keystore/truststore type in the jboss-cli.xml file.

This is problematic when the JVM is running in FIPS mode.

The cli throws the following exception on startup:

$ ./bin/jboss-cli.sh 
org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
        at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541)
        at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291)
        at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76)
        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294)
        at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277)
        at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.jboss.modules.Module.run(Module.java:312)
        at org.jboss.modules.Main.main(Main.java:460)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
        at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126)
        at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89)
        at javax.net.ssl.SSLContext.init(SSLContext.java:283)
        at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537)
        ... 11 more


It is possible to workaround the issue by setting the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"                                                                          
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"  




--
This message was sent by Atlassian JIRA
(v6.3.11#6341)

More information about the jboss-jira mailing list